Comments (2)
Cool yeah. I thought the docker image more for example and dev purposes.
The code of the server is also exploitable, it has multiple security flaws as it takes the url arg and puts it on the server as plain text (not escaped). Most arguments are just passed directly to the template. This works fine if you use the lib internally, but the way the args are exposed is a no-go for production.
The sample server is 110% vulnerable to server side template injection.
We would need to sanitize all input variables in the server or the lib maybe to be able to call it production-ready.
I would like to see and merge your improvements on the docker image but would just put a big notice that this software is vulnerable and "use at your own risk", until we fix these sanitization issues.
from osm-static-maps.
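A minimal illustration of the point made in the comment above, added here and not taken from osm-static-maps (the template, parameter names and helper functions are hypothetical): a verbatim interpolation of request parameters beside a version that validates the tile URL and encodes each value for the context it lands in.

```javascript
// Added example, not code from osm-static-maps: request parameters that are
// interpolated into a page template must be validated and output-encoded,
// otherwise a client controls the generated page (template injection).
// The template, parameter names and helpers below are hypothetical.
const PAGE_TEMPLATE =
  '<script>var tileUrl = "{{tileserverUrl}}";</script>' +
  '<div id="attribution">{{attribution}}</div>';

function fill(template, values) {
  return template.replace(/{{(\w+)}}/g, (_, key) => String(values[key] ?? ''));
}

// Vulnerable form: whatever the client sent is pasted into the page verbatim.
function renderUnsafe(params) {
  return fill(PAGE_TEMPLATE, params);
}

// Encode free text for an HTML element body or quoted attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Encode a value for the inside of a double-quoted JS string literal in a
// <script> block. JSON.stringify escapes quotes, backslashes and newlines;
// '<' is escaped as well so the value can never contain '</script>'.
function toJsStringBody(value) {
  return JSON.stringify(String(value)).slice(1, -1).replace(/</g, '\\u003c');
}

// Structural check for a tile server URL: must parse and be http(s). The raw
// string is returned rather than url.href, because href normalisation would
// percent-encode the {z}/{x}/{y} placeholders that tile URL templates rely on.
function validateTileUrl(raw) {
  let url;
  try { url = new URL(String(raw)); } catch { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return String(raw);
}

// Hardened form: validate, then encode each value for the context it lands in.
// Returns null (the caller should answer 400) instead of rendering bad input.
function renderSafe(params) {
  const tileUrl = validateTileUrl(params.tileserverUrl);
  if (tileUrl === null) return null;
  return fill(PAGE_TEMPLATE, {
    tileserverUrl: toJsStringBody(tileUrl),
    attribution: escapeHtml(params.attribution ?? ''),
  });
}
```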
Thanks for raising that up, I wasn't aware.
Ok I'll work on a PR for the docker image improvements when I have some time.
So then it will be production-ready 😄 waiting for sanitization
from osm-static-maps.